Description
Describe the bug
Following up with #4193, using on_conflict: add, I still get the following error:
2025-11-01T00:54:51.363973Z DEBUG mas_matrix_synapse::modern:223 GET-53 - Localpart is not available error=M_USER_IN_USE: User ID already taken. error.sources=[HTTP status client error (400 Bad Request) for url (https://chat.example.com/_synapse/mas/is_localpart_available?localpart=dt)]
In the browser accessing MAS and logging in with my Authentik IDP, I see:
Unexpected error
Localpart not available
Localpart "dt" is not available on this homeserver
To Reproduce
Migrate from plain OIDC (Authentik) to MAS, where users with the same name (obviously) already exist. Use this MAS config:
upstream_oauth2:
  providers:
    - id: 01K8Y7EJ9992YZQVH27FDE0BC0
      human_name: Authentik
      issuer: "https://auth.example.com/application/o/chat/"
      client_id: "REDACTED"
      client_secret: "REDACTED"
      token_endpoint_auth_method: client_secret_basic
      scope: "openid profile email"
      claims_imports:
        localpart:
          action: require
          on_conflict: add
          template: "{{ user.preferred_username }}"
        displayname:
          action: suggest
          template: "{{ user.name|capitalize }}"
        email:
          action: suggest
          template: "{{ user.email }}"
          set_email_verification: always
Using template: "{{ user.preferred_username }}_" doesn't throw an error anymore and moves on with the initial user registration, but then the username is, in my case, dt_, which is not the desired behaviour. It should just map the existing user and not create a new one with an underscore, as in my example.
Expected behavior
Existing IDP users can log in and get mapped to their existing Matrix users.
Screenshots
none
Additional context
MAS version 1.5.0
Authentik version 2025.10.0